nixos/routnerr-2: add lan0 VLAN for trusted devices

Signed-off-by: Matt Layher <mdlayher@gmail.com>

nixos/lib/vargen/main.go

@@ -19,15 +19,27 @@ func main() {
 	lla := prefix("fe80::/64")
 
 	// The primary subnet: all servers and network infrastructure live here.
-	lan0 := subnet{
-		Name: "enp2s0",
-		IPv4: prefix("192.168.1.0/24"),
-		IPv6: ipv6Prefixes{
-			GUA: prefix("2600:6c4a:7880:3200::/64"),
-			LLA: lla,
-			ULA: prefix("fd9e:1a04:f01d::/64"),
-		},
-	}
+	var (
+		enp2s0 = subnet{
+			Name: "enp2s0",
+			IPv4: prefix("192.168.1.0/24"),
+			IPv6: ipv6Prefixes{
+				GUA: prefix("2600:6c4a:7880:3200::/64"),
+				LLA: lla,
+				ULA: prefix("fd9e:1a04:f01d::/64"),
+			},
+		}
+
+		lan0 = subnet{
+			Name: "lan0",
+			IPv4: prefix("192.168.10.0/24"),
+			IPv6: ipv6Prefixes{
+				GUA: prefix("2600:6c4a:7880:3210::/64"),
+				LLA: lla,
+				ULA: prefix("fd9e:1a04:f01d:10::/64"),
+			},
+		}
+	)
 
 	// Set up the output structure and create host/infra records.
 	out := output{
@@ -35,19 +47,19 @@ func main() {
 			Servers: []host{
 				newHost(
 					"servnerr-3",
-					lan0,
+					enp2s0,
 					ip("192.168.1.4"),
 					mac("1c:1b:0d:ea:83:0f"),
 				),
 				newHost(
 					"nerr-3",
-					lan0,
+					enp2s0,
 					ip("192.168.1.9"),
 					mac("04:d9:f5:7e:1c:47"),
 				),
 				newHost(
 					"monitnerr-1",
-					lan0,
+					enp2s0,
 					ip("192.168.1.11"),
 					mac("dc:a6:32:1e:66:94"),
 				),
@@ -55,19 +67,19 @@ func main() {
 			Infra: []host{
 				newHost(
 					"switch-livingroom01",
-					lan0,
+					enp2s0,
 					ip("192.168.1.2"),
 					mac("f0:9f:c2:0b:28:ca"),
 				),
 				newHost(
 					"switch-office01",
-					lan0,
+					enp2s0,
 					ip("192.168.1.3"),
 					mac("f0:9f:c2:ce:7e:e1"),
 				),
 				newHost(
 					"ap-livingroom02",
-					lan0,
+					enp2s0,
 					ip("192.168.1.5"),
 					mac("74:83:c2:7a:c6:15"),
 				),
@@ -77,6 +89,7 @@ func main() {
 
 	// Attach interface definitions from subnet definitions.
 	// TODO: compute interface properties from subnets instead.
+	out.addInterface("enp2s0", enp2s0)
 	out.addInterface("lan0", lan0)
 
 	out.addInterface("guest0", subnet{
@@ -160,9 +173,9 @@ type ipv6Addresses struct {
 
 func newInterface(s subnet) iface {
 	// TODO: this is a hack, come up with another convention to denote the
-	// management VLAN.
+	// primary VLAN.
 	var internal bool
-	if s.Name == "enp2s0" {
+	if s.Name == "lan0" || s.Name == "enp2s0" {
 		internal = true
 	}
 

nixos/lib/vars.json

@@ -66,6 +66,16 @@
 		]
 	},
 	"interfaces": {
+		"enp2s0": {
+			"name": "enp2s0",
+			"internal_domain": true,
+			"ipv4": "192.168.1.1",
+			"ipv6": {
+				"gua": "2600:6c4a:7880:3200::1",
+				"ula": "fd9e:1a04:f01d::1",
+				"lla": "fe80::1"
+			}
+		},
 		"guest0": {
 			"name": "guest0",
 			"internal_domain": false,
@@ -97,12 +107,12 @@
 			}
 		},
 		"lan0": {
-			"name": "enp2s0",
+			"name": "lan0",
 			"internal_domain": true,
-			"ipv4": "192.168.1.1",
+			"ipv4": "192.168.10.1",
 			"ipv6": {
-				"gua": "2600:6c4a:7880:3200::1",
-				"ula": "fd9e:1a04:f01d::1",
+				"gua": "2600:6c4a:7880:3210::1",
+				"ula": "fd9e:1a04:f01d:10::1",
 				"lla": "fe80::1"
 			}
 		},

nixos/routnerr-2/corerad.nix

@@ -45,7 +45,7 @@ in {
                 '' else
                   ""
               }
-              '') [ lan0 guest0 iot0 lab0 ]}
+              '') [ enp2s0 lan0 guest0 iot0 lab0 ]}
           '';
   };
 }

nixos/routnerr-2/dhcpd4.nix

@@ -13,6 +13,7 @@ let
 in {
   services.dhcpd4 = {
     interfaces = with vars.interfaces; [
+      "${enp2s0.name}"
       "${lan0.name}"
       "${guest0.name}"
       "${iot0.name}"
@@ -57,7 +58,7 @@ in {
                 ""
             }
           }
-            '') [ lan0 guest0 iot0 lab0 ]}
+            '') [ enp2s0 lan0 guest0 iot0 lab0 ]}
     '';
   };
 }

nixos/routnerr-2/dhcpd6.nix

@@ -5,6 +5,7 @@ let vars = import ./lib/vars.nix;
 in {
   services.dhcpd6 = {
     interfaces = with vars.interfaces; [
+      "${enp2s0.name}"
       "${lan0.name}"
       "${guest0.name}"
       "${iot0.name}"
@@ -46,7 +47,7 @@ in {
                 ""
             }
           }
-            '') [ lan0 guest0 iot0 lab0 ]}
+            '') [ enp2s0 lan0 guest0 iot0 lab0 ]}
     '';
   };
 }

nixos/routnerr-2/networking.nix

@@ -39,7 +39,7 @@ in {
           ipv6rs
           # DHCPv6-PD.
           ia_na 0
-          ia_pd 1/::/56 ${lan0.name}/0/64 ${lab0.name}/2/64 ${guest0.name}/9/64 ${iot0.name}/102/64
+          ia_pd 1/::/56 ${enp2s0.name}/0/64 ${lab0.name}/2/64 ${guest0.name}/9/64 ${lan0.name}/10/64 ${iot0.name}/102/64
 
           # IPv4 DHCP ISP settings overrides.
           static domain_name_servers=${vars.localhost.ipv4}
@@ -49,6 +49,7 @@ in {
     };
 
     interfaces = with vars.interfaces; {
+      ${enp2s0.name} = mkInterface enp2s0;
       ${lan0.name} = mkInterface lan0;
       ${lab0.name} = mkInterface lab0;
       ${guest0.name} = mkInterface guest0;
@@ -58,15 +59,19 @@ in {
     vlans = with vars.interfaces; {
       ${lab0.name} = {
         id = 2;
-        interface = "${lan0.name}";
+        interface = "${enp2s0.name}";
       };
       ${guest0.name} = {
         id = 9;
-        interface = "${lan0.name}";
+        interface = "${enp2s0.name}";
+      };
+      ${lan0.name} = {
+        id = 10;
+        interface = "${enp2s0.name}";
       };
       ${iot0.name} = {
         id = 66;
-        interface = "${lan0.name}";
+        interface = "${enp2s0.name}";
       };
     };
 

nixos/routnerr-2/nftables.nix

@@ -29,8 +29,7 @@ let
   wan0 = vars.interfaces.wan0.name;
 
   # LAN interfaces, segmented into trusted, limited, and untrusted groups.
-  trusted_lans =
-    [ vars.interfaces.lan0 vars.interfaces.lab0 vars.interfaces.wg0 ];
+  trusted_lans = with vars.interfaces; [ enp2s0 lan0 lab0 wg0 ];
   limited_lans = [ vars.interfaces.guest0 ];
   untrusted_lans = [ vars.interfaces.iot0 ];